From c5ec439c2fff623f9ff3625daff7ab57b4784347 Mon Sep 17 00:00:00 2001
From: Martin Miglio
Date: Sat, 7 Oct 2023 17:29:05 -0400
Subject: [PATCH] use OIDC for publishing to pypi
---
 .github/workflows/deploy-pypi.yml | 33 ++++++++++++++++++++++++++++---
 1 file changed, 30 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/deploy-pypi.yml b/.github/workflows/deploy-pypi.yml
index ab272c4..c4a0894 100644
--- a/.github/workflows/deploy-pypi.yml
+++ b/.github/workflows/deploy-pypi.yml
@@ -6,7 +6,7 @@ on:
 - "v*.*.*"
 jobs:
- deploy:
+ release-build:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
@@ -19,9 +19,36 @@ jobs:
 cache: "poetry"
 - name: Install package and dependencies
 run: |
- poetry install --without dev
+ poetry install --without dev --with tests
 - name: Build and publish
 run: |
 poetry version $(git describe --tags --abbrev=0)
 poetry build
- poetry publish --username ${{ secrets.PYPI_USERNAME }} --password ${{ secrets.PYPI_API_TOKEN }}
+ - name: Verify wheel using twine
+ run: |
+ poetry run twine check dist/* --strict
+ - name: Upload release distributions
+ uses: actions/upload-artifact@v3
+ with:
+ name: release-dists
+ path: dist/
+
+ pypi-publish:
+ runs-on: ubuntu-latest
+ needs:
+ - release-build
+ environment:
+ name: pypi
+ url: https://pypi.org/p/pymemuc
+ permissions:
+ id-token: write
+ steps:
+ - name: Retrieve release distributions
+ uses: actions/download-artifact@v3
+ with:
+ name: release-dists
+ path: dist/
+ - name: Publish release distributions to PyPI
+ uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ print-hash: true
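Review bot: The new `pypi-publish` job grants `id-token: write` and then runs `pypa/gh-action-pypi-publish@release/v1`, a mutable branch ref, so the code that exchanges the OIDC token for a PyPI upload credential can change without any commit in this repository. Pinning to a full commit SHA, `uses: pypa/gh-action-pypi-publish@<full-commit-sha>  # release/v1`, removes that dependency on a moving ref; `actions/upload-artifact@v3` and `actions/download-artifact@v3` carry the files that get published and deserve the same treatment. `release-build` shows no `permissions:` block in the visible lines (its header is in the first hunk and part of its steps lies between the hunks), so unless the workflow sets one at the top level it installs dependencies and builds with the repository's default token scope; `permissions:` with `contents: read` on that job should be enough for checkout. The step still named `Build and publish` now only builds, so `- name: Build` would match what it does. The long-lived `PYPI_API_TOKEN` secret is no longer referenced in this hunk and presumably should be revoked on PyPI once the trusted publisher is confirmed working.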